An Iranian hacker group that has been targeting Israeli and other Middle Eastern scientists and researchers for the past two years gave itself away when it failed to take even minimal steps to protect itself, a report issued Monday by Israeli cyber-security firm Checkpoint said.
The Rocket Kitten hacker gang, according to the report, has for the past two years targeted individuals and organizations in the Middle East, as well as across Europe and in the United States.
But as the report showed, they haven’t been very careful about protecting their identities – leading Checkpoint to term them “amateurs” despite the fact that they are nation-state hackers whose prime directive is to ensure that no one is able to connect them with their government.
Its sloppiness notwithstanding, however, the group has continued to operate, successfully targeting individuals and groups with poorly crafted phishing emails and relatively unsophisticated malware. Said Checkpoint, “The attackers have struck again and again by making minor changes to their tools or phishing domains.”
According to the report, most of the attacks – 44% – were against targets in Saudi Arabia, while 14% were against Israeli targets. The Checkpoint researchers were able to determine this, they said, because the evidence of who was attacked and when they were targeted was listed in an openly accessible database that was not even protected by a password.
“‘Such a gaping hole must be a decoy,’ we immediately thought,” the Checkpoint report said. “There is no way nation-state attackers would err in such amateur fashion, leaving their phishing server database exposed… would they?”
Apparently they would, and in addition to allowing password-less root access to any browsing visitor, the hackers committed numerous other sloppy mistakes, such as failing to hide a path to the server from where the attacks originated – providing clear evidence that the attacks originated in Iran. Even the name of the head of the Iranian hacker program – Yaser Balaghi – along with a clear outline of his hacking activities, was easily accessible.
The existence and activities of the Rocket Kitten group have been known for some time, first reported last year by ClearSky, another Israeli cyber-security firm. The attackers’ identity – and the fact that they were Iranian – was discovered last June after the hackers targeted Dr. Thamar Eilam Gindin, after she said on Army Radio that she had been in touch with contacts inside Iran, who talked to her about Iranian linguistics and pre-Islamic Iran.
Using several phishing stratagems – sending her email loaded with malware, and later calling her up in an attempt to get her to download an infected document from Google Drive on the pretense that she was to be interviewed by the BBC’s Persian Service about her research – the hackers mounted seven attacks on her, trying to get her personal data. ClearSky was able to trace the activity back to servers in Iran, said ClearSky CEO Boaz Dolev – making this one of the few attacks where the identity of the hackers was clear.
“In general, it is difficult to ‘finger’ who is behind a specific attack, because it is easy for hackers to hide their identity, using fake IP addresses and other markers to throw investigators off the track,” said Dolev. In this specific case, however, “we were able to trace the command and control servers back to Iranian IP addresses, and there was all sorts of other anecdotal evidence, from the writing style to the language used in some of the phishing messages to the accents in phone calls made by hackers to fool victims,” said Dolev.
Following Clearsky’s revelations on the attack, first made in a previous report in 2014, security firm Trend Micro followed up on the case, confirming the information discovered by Clearsky. The Checkpoint report clearly delineated the timeline of investigation into the matter, going back to an original Clearsky report in 2014.
Following up on the matter based on concerns of its own customers, Checkpoint followed one of the attempted hacks by analyzing malware implanted in a customer’s server, easily tracing the command and control server to an Iranian IP address. On the server, investigators found a database listing the names of the members of the hacking crew (apparently real ones, as they were typical Iranian first and family names), as well as links to web pages infected with their malware (which was also found on the server). In addition, the database included a list of nearly 2000 targets – with their names, email addresses, and other information – targeted since August 2014, when the currently used server was apparently activated.
The investigators were able to access this information, said Checkpoint, because the hackers either did not password-protect files or used easy-to-crack passwords (such as 123456), and provided root access to files and databases for everyone. In one of the databases, the investigators discovered the name of Yaser Balaghi, who appeared to be the hacker gang leader, based on internal messages and emails. A simple Internet search enabled them to discover not only his background and education, but even a photo of him.
“We are happy that our inquiries and investigations assisted Checkpoint, and we assisted them as best as we could,” said Clearsky’s Ganor. “One takeaway from this for all of us is that cyber-defense is a common concern today. There is no one company or organization that has all the answers and can prevent attacks. The only way to ensure true cyber-security is by working together. The cooperation between us, Trend Micro, Checkpoint, and many others was critical in preventing not only this attack, but other, more serious attacks as well.”